Understanding the EU Cyber Resilience Act and achieving product cybersecurity compliance

This whitepaper targets product owners, product security managers and compliance professionals of manufacturers, distributors, and importers of connected devices marketed to or within the European Union.

Table of contents

Executive Summary

Background

Overview of CRA requirements

Supply chain risks

ONEKEY Product

CRA reporting requirements

Automation & support to achieve & maintain CRA security requirements & compliance

EXECUTIVE SUMMARY

To comply with the European Union’s mandatory requirements on product security and incident reporting, as laid out in the upcoming EU Cyber Resilience Act (CRA), all manufacturers (and their importers and distributors) marketing their products to or within the European Union must substantially strengthen the cyber-resilience of their products.

These efforts must cover a product’s entire software supply chain: manufacturers need visibility into the components they ship so that no component lowers the product’s overall security level and no product is shipped with vulnerable software components. In addition, manufacturers (and their importers and distributors) are obliged to inform the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of a new vulnerability affecting one of their products.

As a consequence of the new regulation, and to reduce the manual burden on manufacturers (and their importers and distributors), the creation of Software Bills of Materials (SBOMs) and the security analysis of the software supply chain will need to be highly automated, in line with the requirements of the CRA.

This whitepaper summarizes the new mandatory CRA requirements, how to mitigate the upcoming risks, and how the product security process, from design through software development to end-of-life, must mature to address these regulatory requirements and the corresponding controls.

BACKGROUND

NEW EUROPEAN CYBER RESILIENCE ACT (CRA) AIMS AT INCREASING SECURITY LEVEL AND TRANSPARENCY

On September 15th, 2022, the European Union Agency for Cybersecurity (ENISA) released the draft of the new Cyber Resilience Act (CRA), to be enforced by the European Parliament throughout the European Union and impacting manufacturers, importers, and distributors of products with digital elements. The CRA aims at increasing the level of security of all products with digital elements within the European Union by requiring manufacturers to implement and maintain a cybersecurity framework and to follow it throughout the product’s lifecycle. Additionally, enhanced transparency about security properties will enable consumers and businesses to make security-conscious decisions and to use products with digital elements more securely.

LIMITED TIME TO ACT FOR PRODUCTS WITH DIGITAL ELEMENTS

This initiative by ENISA follows increasing damage caused by cybercrime, which resulted in global costs of more than EUR 5.5 trillion in 2021. Many of these cyberattacks are enabled by vulnerabilities in products with digital elements and aggravated by a lack of transparency from manufacturers about relevant security properties. While the CRA targets a broad scope of “products with digital elements”, ranging from operating systems, desktop and mobile applications to hardware devices and network equipment, this whitepaper focuses on connected devices and targets manufacturers, distributors, and importers of such devices.

It is expected that the new CRA will be enacted as a directive by the European Commission in early 2024 without requiring approval by the European Parliament. Even with a transition period, this leaves only a short time to adopt the necessary reporting requirements and to comply with the remaining essential requirements. Due to multi-year design and development cycles, all manufacturers need to act now. Only devices regulated by Regulation (EU) 2018/1139 (civil aviation), Regulation (EU) 2017/745 (medical devices), Regulation (EU) 2017/746 (in vitro diagnostic medical devices), or devices certified in accordance with Regulation (EU) 2019/2144 (type-approval of motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles...) are exempt from the CRA. Given the average multi-year timespan between design and production of connected devices, this leaves little time for adoption and for applying the necessary security changes.